Symptoms
See technical description.
Removal instructions:
Recomandations are removing suspicious entries in hives
HKCU and HKLM at
\Software\Microsoft\Windows\Current Version\Run or
\Software\Microsoft\Windows\Current Version\Runservices
install the latest patches and change passwords on all accounts with administrator rights, and also check for bogus user accounts with administrator rights (created by the virus) and delete them.
Please see description for Backdoor.SDBot and Backdoor.RBot
Analyzed By
Patrik Vicol, virus researcher
Technical Description:
Backdoor.BotGet.Ftp?.Gen detects scripts used by some malicious IRC bots (eg: SDBot / Rbot) and worms (eg: Lovgate) in propagation from one computer to another.
A worm/bot installed on a machine searches for other computers in the same network or even in the internet. Once it finds a computer, it sends a malformed TCP packet that will cause the target computer to execute the content of the packet (which is a batch script - Backdoor.BotGet.FtpA.Gen)
Files detected are
Backdoor.BotGet.FtpA.Gen is a batch file that runs system utility FTP.EXE with a ftp script that downloads the worm on the victim computer and executes it, deletes the ftp script and then it deletes itself (the ftp script is detected as Backdoor.BotGet.FtpB.Gen)
Computers on which such files are detected are most likely to lack security patches (windows updates) for the Windows operating system (see
Backdoor.SDBot /
Backdoor.Rbot descriptions) and/or have weak passwords on accounts with administrator rights.
Usually, if such a file is found on a computer in a LAN, it is very possible that other systems may have been compromised as well.
SHARE
THIS ON